So far this year, there have been at least eight cyberattacks on healthcare and government organizations employing the SamSam ransomware, the Department of Health and Human Services (HHS) said in a report released March 30.
SamSam ransomware attacks have occurred at Indiana-based Hancock Health Hospital and Adams Memorial Hospital, cloud-based electronic health record (EHR) provider Allscripts, the municipality of Farmington in New Mexico, an undisclosed US industrial control system company, Davidson County offices in North Carolina, Colorado’s Department of Transportation, and Atlanta’s systems and services.
In the case of the Hancock Health Hospital attack, the hackers gained access to the hospital system by using a remote-access portal and logged in with a vendor’s username and password.
The hackers used the compromised account credentials to target a server in the hospital’s emergency IT backup facility, located miles away from the main campus, and made use of the electronic connection between the backup site and the server farm on the hospital’s main campus to deliver the SamSam payload. The hospital ended up paying the $50,000 ransom in Bitcoin to get file access back.
In the Adams Memorial Hospital attack, an outpatient clinic and three physician offices were unable to use that hospital’s network to access patient history or schedule appointments because of the ransomware. This affected between 60 and 80 patients.
In the case of Allscripts, the ransomware attack prevented around 1,500 customers from accessing its cloud EHR applications. Allscripts’ InfoButton, regulatory reporting, clinical decision support, direct messaging, Payerpath, and the electronic prescription of controlled substances service were all taken down because of the attack. The SamSam ransomware variant that infected Allscripts was different from the variant that infected the Indiana hospitals, the report noted.
In February, Colorado DOT’s human resources and payroll systems were infected with SamSam ransomware, which encrypted files on all employee computers running Windows OS and McAfee anti-virus software. As a result, approximately 2,000 computers were pulled offline, and employees were forced to use pen and paper to perform their duties.
In March, the city of Atlanta suffered a ransomware attack that resulted in a loss of access to files and outages to several of the city’s online systems and services, including payment portals for city bills and access to court information.
The attackers demanded $6,800 to decrypt each infected computer or $51,000 for the decryption keys to recover all the infected computers. Security researchers pointed out that certain servers belonging to the city had Server Message Block version 1 (SMBv1) exposed to the internet; this was the same vulnerability that enabled the EternalBlue exploit used to spread both the WannaCry and NotPetya ransomware, the report noted.
The signature of SamSam attacks is the encryption of files and data with the “.weapologize” extension, the display of a “sorry” message, and the use of a “0000-SORRY-FOR-FILES.html” ransom note, according to the report.
The SamSam hackers focus their attacks on open remote desktop protocol (RDP) connections and break into networks by carrying out brute-force attacks against these endpoints. Because SamSam hackers attack RDP connections, HHS recommended that healthcare organizations restrict access behind firewalls with RDP gateways and virtual private networks, use strong, unique usernames and passwords with two-factor authentication, limit the users who can log in using remote desktop, and implement an account lockout policy to help thwart brute-force attacks.
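As an added illustration of the brute-force and account-lockout point above (example code written for this page, not taken from the HHS report), the following Python script reads a constructed CSV export of Windows Security events and flags every source address that produced five or more failed RDP logons (event ID 4625 with logon type 10, RemoteInteractive) inside a five-minute sliding window. The event ID and logon type are real Windows values; the CSV column layout, the hostnames and the sample addresses are assumptions made for the example.

```python
"""Flag RDP brute-force sources in a Windows Security export (4625 = failed logon, logon type 10 = RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, columns: "timestamp,event_id,logon_type,account,source_ip".
# 203.0.113.45 sprays several usernames within seconds; 10.20.5.17 is a user mistyping a password.
SAMPLE_EVENTS = """\
2018-03-20T02:14:01,4625,10,administrator,203.0.113.45
2018-03-20T02:14:03,4625,10,admin,203.0.113.45
2018-03-20T02:14:04,4625,10,vendor_svc,203.0.113.45
2018-03-20T02:14:06,4625,10,backup,203.0.113.45
2018-03-20T02:14:07,4625,10,administrator,203.0.113.45
2018-03-20T08:30:11,4625,10,jsmith,10.20.5.17
2018-03-20T08:31:40,4625,10,jsmith,10.20.5.17
2018-03-20T09:02:55,4625,2,jsmith,-
2018-03-20T10:15:00,4624,10,jsmith,10.20.5.17
"""

def parse_events(text):
    keys = ("time", "event_id", "logon_type", "account", "src")
    events = []
    for line in text.strip().splitlines():
        rec = dict(zip(keys, line.split(",")))
        rec["time"] = datetime.fromisoformat(rec["time"])  # ISO-8601 timestamp
        rec["event_id"], rec["logon_type"] = int(rec["event_id"]), int(rec["logon_type"])
        events.append(rec)
    return events

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: sorted accounts tried} for every source with at least
    `threshold` failed RDP logons inside any `window`-long sliding window. Keyed on
    source rather than account, so spraying many usernames (each below the per-account
    lockout threshold) is still caught."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:  # failed RDP logon only
            failures[e["src"]].append(e)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                flagged[src] = sorted({e["account"] for e in evs})
                break
    return flagged

if __name__ == "__main__":
    for src, accts in rdp_bruteforce_sources(parse_events(SAMPLE_EVENTS)).items(): print(f"{src}: tried {', '.join(accts)}")
```

Only the spraying source is flagged at the default threshold; the legitimate user's two failures stay below it, which is the same balance an account lockout policy has to strike.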
Before paying the ransom, victims should consider the following factors, according to the HHS report:
• Paying a ransom does not guarantee an organization will regain access to its data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom
• Some victims who paid the demand were targeted again by cyber actors
• After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key
• Paying could inadvertently encourage this criminal business model
The healthcare sector continues to face challenges from ransomware attacks. These attacks have had material impacts on healthcare services to patients, both through attacks on patient care facilities themselves and through attacks on supporting organizations.
Because of the healthcare sector’s reliance on IT systems and the operational importance of patient data and records, the ransomware risk is expected to increase. HHS said it encourages organizations to use data backups and develop contingency and business continuity plans that can ensure resilient operations in the event of a ransomware incident.